Subj : Microsoft's latest Patch Tuesday is here - fixes numerous flaws, To : All From : TechnologyDaily Date : Wed Mar 15 2023 13:15:04 Microsoft's latest Patch Tuesday is here - fixes numerous flaws, some 'critical' Date: Wed, 15 Mar 2023 13:00:18 +0000 Description: March Patch Tuesday addresses almost 90 vulnerabilities. FULL STORY ====================================================================== Microsoft has just released its cumulative security update for March 2023, casually known as Patch Tuesday. In this months fix, the company addressed a total of 83 flaws, including nine critical vulnerabilities and two zero-day flaws that are being actively exploited in the wild. Breaking the patch down, Microsoft said it addressed 21 elevation of privilege issues, 2 security feature bypass flaws, 27 remote code execution vulnerabilities, 4 denial of service flaws, 10 spoofing flaws, and one Microsoft Edge / Chromium flaw. Fixing zero-days But perhaps the most important fixes are two zero-day vulnerabilities: flaws that were previously undisclosed and abused without victims knowing how to address them. This months zero-days include CVE-2023-23397, an elevation of privilege vulnerability found in Outlook, and CVE-2023-24880 -a security feature bypass vulnerability found in Windows SmartScreen. With the Outlook file, threat actors were creating emails that forced the target endpoint to connect to a remote URL and transmit the Windows accounts Net-NTLMv2 hash. "External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control," Microsoft explained. "This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim." The company added, saying that a known threat actor STRONTIUM was abusing this flaw. Read more > The first Microsoft Patch Tuesday of 2023 includes some rather important fixes > Microsoft's latest Patch Tuesday broke some VMs, but there's a fix > These are the best malware removal tools at the moment The second zero-day, found in Windows SmartScreen, allowed hackers to bypass the Windows Mark of the Web warning. When a file is downloaded from the internet, it gets a mark of the web signaling that it might potentially be malicious. "An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft said. Check out the best web browsers ====================================================================== Link to news story: https://www.techradar.com/news/microsofts-latest-patch-tuesday-is-here-fixes-n umerous-flaws-some-critical --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .